irongut/secure-workflows

Maintained by stepsecurity.io. License: AGPL v3.


An open platform to update your CI/CD pipelines to comply with security requirements.

If you use GitHub Actions, you can use SecureWorkflows to:

  • Automatically set minimum GITHUB_TOKEN permissions
  • Pin Actions to a full length commit SHA
  • Add Harden-Runner GitHub Action to each job

Support for GitLab, CircleCI, and more CI/CD providers will be added in the future. Check the Roadmap for details.

In the News

Quickstart

Using app.stepsecurity.io

To secure your GitHub Actions workflow:

  • Copy and paste your GitHub Actions workflow YAML file at https://app.stepsecurity.io
  • Click the Secure Workflows button
  • Paste the fixed workflow back into your codebase

GitHub App to create pull requests will be released soon. Check the Roadmap for details.

Secure workflow screenshot

Integration with OpenSSF Scorecard

Secure workflow Scorecard integration screenshot

Functionality Overview

SecureWorkflows API

  • Takes in a GitHub Actions workflow YAML file as an input
  • Returns a transformed workflow file with fixes applied
  • You can select which of these changes you want to make

1. Automatically set minimum GITHUB_TOKEN permissions

Why is this needed?

Before and After the fix

Before the fix, your workflow may look like this (no `permissions` set, so the GITHUB_TOKEN gets the repository's default, typically broad, permissions):

jobs:
  closeissue:
    runs-on: ubuntu-latest

    steps:
      - name: Close Issue
        uses: peter-evans/close-issue@v1
        with:
          issue-number: 1
          comment: Auto-closing issue

After the fix, the workflow has minimum permissions set for the GITHUB_TOKEN: read-only `contents` at the workflow level, and `issues: write` only on the job that needs it.

permissions:
  contents: read

jobs:
  closeissue:
    permissions:
      issues: write # for peter-evans/close-issue to close issues
    runs-on: ubuntu-latest

    steps:
      - name: Close Issue
        uses: peter-evans/close-issue@v1
        with:
          issue-number: 1
          comment: Auto-closing issue

How does SecureWorkflows fix this issue?

  • SecureWorkflows stores the GITHUB_TOKEN permissions needed by different GitHub Actions in a knowledge base
  • It looks up the permissions needed by each Action in your workflow and combines them per scope (the higher of read/write wins) to come up with a final recommendation
  • The `permissions` key only restricts the automatically generated GITHUB_TOKEN; a personal access token or other secret passed to a step is not affected and still needs its own least-privilege review
  • If you are the owner of a GitHub Action, please contribute its required permissions to the knowledge base
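The following is an added example, not SecureWorkflows' own code, of how the knowledge-base lookup and permission union described above can be implemented. The knowledge-base entries and the sample workflow are constructed for illustration, and the code assumes the workflow YAML has already been parsed into Python dicts (for instance with yaml.safe_load). It also encodes the GitHub Actions rule that a job-level `permissions:` block replaces the workflow-level one rather than extending it, which is why a job that needs `issues: write` and also checks out code must restate `contents: read`.

```python
"""Derive a least-privilege GITHUB_TOKEN `permissions` recommendation from a parsed workflow."""
from __future__ import annotations

# Permission levels in increasing order; merging two requirements keeps the higher one.
RANK = {"none": 0, "read": 1, "write": 2}

# Constructed sample knowledge base (illustrative, not the project's real data):
# Action name without version -> the GITHUB_TOKEN scopes that Action needs.
KNOWLEDGE_BASE = {
    "actions/checkout": {"contents": "read"},
    "peter-evans/close-issue": {"issues": "write"},
}

# Workflow-level baseline: read-only repository access and nothing else.
TOP_LEVEL = {"contents": "read"}


class UnknownActionError(LookupError):
    """An Action has no knowledge-base entry; refuse to guess rather than under- or over-grant."""


def action_name(uses: str) -> str:
    """'owner/repo/sub/dir@v2' -> 'owner/repo' (the knowledge base is keyed per repository)."""
    repo_path = uses.split("@", 1)[0]
    return "/".join(repo_path.split("/")[:2])


def merge(into: dict, extra: dict) -> dict:
    """Union two permission sets: for each scope the higher level wins."""
    for scope, level in extra.items():
        if RANK[level] > RANK[into.get(scope, "none")]:
            into[scope] = level
    return into


def job_permissions(job: dict) -> dict:
    """Sum the scopes required by every `uses:` step of one job."""
    needed: dict = {}
    for step in job.get("steps", []):
        uses = step.get("uses")
        if uses is None or uses.startswith(("./", "docker://")):
            # `run:` steps, local actions and container images are outside the knowledge base.
            # Anything they do with ${{ secrets.GITHUB_TOKEN }} must be reviewed by hand.
            continue
        name = action_name(uses)
        if name not in KNOWLEDGE_BASE:
            raise UnknownActionError(name)
        merge(needed, KNOWLEDGE_BASE[name])
    return needed


def covered_by(needed: dict, granted: dict) -> bool:
    """True if every scope in `needed` is granted at that level or higher."""
    return all(RANK[granted.get(scope, "none")] >= RANK[level] for scope, level in needed.items())


def recommend(workflow: dict) -> dict:
    """Return the blocks to add: one workflow-level `permissions`, plus one per job that needs more.

    A job-level `permissions:` block REPLACES the workflow-level one for that job instead of
    extending it, so a job that needs anything beyond the baseline must restate every scope it
    uses, including `contents: read` if it also checks out code.
    """
    jobs = {}
    for job_id, job in workflow.get("jobs", {}).items():
        needed = job_permissions(job)
        if not covered_by(needed, TOP_LEVEL):
            jobs[job_id] = dict(sorted(needed.items()))
    return {"permissions": dict(TOP_LEVEL), "jobs": jobs}


# Constructed sample input, shaped the way yaml.safe_load() returns the README's workflow.
SAMPLE_WORKFLOW = {
    "jobs": {
        "closeissue": {
            "runs-on": "ubuntu-latest",
            "steps": [{"name": "Close Issue", "uses": "peter-evans/close-issue@v1",
                       "with": {"issue-number": 1, "comment": "Auto-closing issue"}}],
        },
        "build": {   # checkout only: the baseline already covers it, so no job-level block
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v3"}, {"run": "make test"}],
        },
        "triage": {  # checkout + close-issue: must restate contents: read next to issues: write
            "runs-on": "ubuntu-latest",
            "steps": [{"uses": "actions/checkout@v3"}, {"uses": "peter-evans/close-issue@v1"}],
        },
    }
}

if __name__ == "__main__":
    import json
    print(json.dumps(recommend(SAMPLE_WORKFLOW), indent=2))
```

Unknown Actions raise instead of being silently granted nothing (which would break the job) or everything (which would defeat the point); in practice that is the signal to add the Action to the knowledge base.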

2. Pin Actions to a full length commit SHA

Why is this needed?

Before and After the fix

Before the fix, your workflow may look like this (use of the mutable `v1` and `latest` tags, which the Action or image maintainer, or anyone who compromises them, can repoint at any time):

jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v1
      - name: Integration test
        uses: docker://ghcr.io/step-security/integration-test/int:latest

After the fix, each Action is pinned to a full-length commit SHA and each Docker image to its sha256 digest, both of which are immutable.

jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9
      - name: Integration test
        uses: docker://ghcr.io/step-security/integration-test/int@sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0

How does SecureWorkflows fix this issue?

  • SecureWorkflows automates resolving each mutable Action version tag or Docker image tag to the commit SHA or image digest it currently points to
  • It does this by using the GitHub API and the Docker registry API
  • A pin is a snapshot: the Action will no longer pick up new releases until the SHA is changed, so keep the version tag as a comment next to the SHA and let dependency-update tooling (for example Dependabot) propose the bumps
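An added example, not the project's own code, of the pinning rewrite as a line-based transform over the workflow text, so that comments and formatting survive. The GitHub and registry lookups are replaced by constructed tables: the actions/checkout SHA and the image digest are the values shown above, while the step-security/harden-runner SHA is a made-up placeholder. A live resolver would call GET /repos/{owner}/{repo}/git/ref/tags/{tag} and, when that returns an annotated tag object rather than a commit, GET /repos/{owner}/{repo}/git/tags/{sha} to peel it to the commit; for images it would fetch the manifest and read the digest.

```python
"""Pin mutable `uses:` references (tags, branches, image tags) to immutable SHAs/digests."""
from __future__ import annotations

import re

FULL_SHA = re.compile(r"^[0-9a-f]{40}$")
IMAGE_DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")
# A step's `uses:` line: indentation and optional dash, the reference, then any trailing text.
USES_LINE = re.compile(r"^(?P<prefix>\s*-?\s*uses:\s+)(?P<ref>\S+)(?P<rest>.*)$")

# Constructed lookup tables standing in for the live GitHub / registry APIs.  The checkout SHA
# and the image digest are the values shown in the README; the harden-runner SHA is made up.
GITHUB_TAGS = {
    ("actions/checkout", "v1"): "544eadc6bf3d226fd7a7a9f0dc5b5bf7ca0675b9",
    ("step-security/harden-runner", "v1"): "deadbeef" * 5,
}
IMAGE_TAGS = {
    ("ghcr.io/step-security/integration-test/int", "latest"):
        "sha256:1efef3bbdd297d1b321b9b4559092d3131961913bc68b7c92b681b4783d563f0",
}


def resolve_tag(owner_repo: str, tag: str) -> str:
    """Stand-in for GET /repos/{owner}/{repo}/git/ref/tags/{tag}; a live version must also
    peel annotated tags (object type "tag") via GET /repos/{owner}/{repo}/git/tags/{sha}."""
    if (owner_repo, tag) not in GITHUB_TAGS:
        raise LookupError(f"cannot resolve {owner_repo}@{tag}")
    return GITHUB_TAGS[(owner_repo, tag)]


def resolve_image(name: str, tag: str) -> str:
    """Stand-in for fetching the image manifest and reading its Docker-Content-Digest."""
    if (name, tag) not in IMAGE_TAGS:
        raise LookupError(f"cannot resolve {name}:{tag}")
    return IMAGE_TAGS[(name, tag)]


def pin_ref(ref: str, tags=resolve_tag, images=resolve_image):
    """Return (pinned_ref, original_version) for a mutable reference, or None when there is
    nothing to do (local action, or already pinned)."""
    if ref.startswith("./"):
        return None
    if ref.startswith("docker://"):
        image = ref[len("docker://"):]
        if "@" in image:
            return None
        name, sep, tag = image.rpartition(":")
        if not sep or "/" in tag:       # no tag (implicit :latest), or the colon was a registry port
            name, tag = image, "latest"
        digest = images(name, tag)
        if not IMAGE_DIGEST.match(digest):       # never trust the resolver blindly
            raise ValueError(f"resolver returned a non-digest for {image}: {digest}")
        return f"docker://{name}@{digest}", tag
    repo_path, sep, version = ref.partition("@")
    if not sep:
        raise ValueError(f"action reference without a version: {ref}")
    if FULL_SHA.match(version):
        return None
    owner_repo = "/".join(repo_path.split("/")[:2])   # 'owner/repo/subdir' -> 'owner/repo'
    sha = tags(owner_repo, version)
    if not FULL_SHA.match(sha):
        raise ValueError(f"resolver returned a non-SHA for {ref}: {sha}")
    return f"{repo_path}@{sha}", version


def pin_workflow(text: str) -> str:
    """Rewrite every mutable `uses:` line.  The original tag is kept as a trailing comment so
    people and release-tracking tools can still see which version the SHA corresponds to."""
    out = []
    for line in text.splitlines():
        m = USES_LINE.match(line)
        pinned = pin_ref(m["ref"].strip("'\"")) if m else None
        if pinned is None:
            out.append(line)
            continue
        new_ref, version = pinned
        comment = "" if "#" in m["rest"] else f" # {version}"
        out.append(f"{m['prefix']}{new_ref}{comment}{m['rest']}")
    return "\n".join(out) + "\n"


# Constructed sample: the README's integration-test workflow plus a local action.
SAMPLE = """\
jobs:
  integration-test:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@v1
      - uses: ./.github/actions/local-setup
      - name: Integration test
        uses: docker://ghcr.io/step-security/integration-test/int:latest
"""

if __name__ == "__main__":
    print(pin_workflow(SAMPLE))
```

The transform is idempotent: a second pass sees only full SHAs and digests and leaves the file untouched, which is what you want from a tool that runs on every workflow in a repository. The checks on the resolver's return values matter because a short or abbreviated SHA is still mutable in practice (it can be made ambiguous by a later commit), so only the full 40-hex form is accepted.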

3. Add Harden-Runner GitHub Action to each job

Why is this needed?

The Harden-Runner GitHub Action installs a security agent on the GitHub-hosted runner to prevent exfiltration of credentials, monitor the build process, and detect compromised dependencies.

Before and After the fix

Before the fix, your workflow may look like this (no runtime monitoring of the job):

jobs:
  closeissue:
    runs-on: ubuntu-latest

    steps:
      - name: Close Issue
        uses: peter-evans/close-issue@v1
        with:
          issue-number: 1
          comment: Auto-closing issue

After the fix, each job has the Harden-Runner Action added as its first step, so that it is running before any other step executes.

jobs:
  closeissue:
    runs-on: ubuntu-latest

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@v1
        with:
          egress-policy: audit

      - name: Close Issue
        uses: peter-evans/close-issue@v1
        with:
          issue-number: 1
          comment: Auto-closing issue

How does SecureWorkflows fix this issue?

SecureWorkflows updates the YAML file and adds the Harden-Runner GitHub Action as the first step of each job. The inserted step uses `egress-policy: audit`, which records the job's outbound network calls without blocking them; once you know which endpoints a job legitimately needs, switch to `egress-policy: block` with an `allowed-endpoints` list so that unexpected egress (for example a compromised dependency sending credentials to an unknown host) is denied rather than only logged.

Roadmap
